diff --git a/.github/workflows/add-issue-labels.yaml b/.github/workflows/add-issue-labels.yaml index fabc11450cc..afa4f830711 100644 --- a/.github/workflows/add-issue-labels.yaml +++ b/.github/workflows/add-issue-labels.yaml @@ -3,12 +3,23 @@ on: issues: types: [opened] +permissions: + contents: read + jobs: triage: + permissions: + contents: read # for github/issue-labeler to get repo contents + issues: write # for github/issue-labeler to create or remove labels runs-on: ubuntu-latest steps: # Update .github/labeler.yml for new dialects - - uses: github/issue-labeler@v3.2 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + + - uses: github/issue-labeler@98b5412841f6c4b0b3d9c29d53c13fad16bd7de2 # v3.2 with: configuration-path: .github/labeler.yml include-title: 1 diff --git a/.github/workflows/add-to-release-notes.yml b/.github/workflows/add-to-release-notes.yml index d962b5b4789..858a0c294a2 100644 --- a/.github/workflows/add-to-release-notes.yml +++ b/.github/workflows/add-to-release-notes.yml @@ -6,12 +6,23 @@ on: push: branches: - main +permissions: + contents: read + jobs: draft-release: + permissions: + contents: write # for release-drafter/release-drafter to create a github release + pull-requests: write # for release-drafter/release-drafter to add label to PR runs-on: ubuntu-latest if: github.repository == 'sqlfluff/sqlfluff' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + - name: Update release notes - uses: release-drafter/release-drafter@v6 + uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6.4.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci-pr-comments.yml b/.github/workflows/ci-pr-comments.yml index 7efa6217e79..ee84371adea 100644 
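Review bot: `egress-policy: audit` on the new harden-runner step only records outbound calls and blocks none of them, so the step gives visibility but no enforcement until the policy is changed to `block` with an `allowed-endpoints` list built from the audit data. The same applies to every harden-runner step in this diff, and it matters most in the publishing jobs (publish-dbt-templater-release-to-pypi.yaml, publish-sqlfluff-release-to-pypi.yaml, publish-sqlfluff-docker-image-to-dockerhub.yaml), which are the jobs holding the PyPI and registry credentials. A comment on the step such as `# TODO: move to egress-policy: block once allowed-endpoints is known from the audit runs` would record that this is a rollout stage rather than the end state.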
--- a/.github/workflows/ci-pr-comments.yml +++ b/.github/workflows/ci-pr-comments.yml @@ -19,8 +19,13 @@ jobs: if: > github.event.workflow_run.event == 'pull_request' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + - name: 'Download txt artifact' - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: script: | const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ @@ -44,7 +49,7 @@ jobs: run: unzip cov-report.zip - name: Update PR comment with coverage report. - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/ci-test-dbt.yml b/.github/workflows/ci-test-dbt.yml index 8bc21550a06..63544415d5a 100644 --- a/.github/workflows/ci-test-dbt.yml +++ b/.github/workflows/ci-test-dbt.yml @@ -28,6 +28,9 @@ on: gh_token: required: true +permissions: + contents: read + jobs: modular-python-test: name: py${{ inputs.python-version }}-${{ inputs.dbt-version }} @@ -54,10 +57,15 @@ jobs: - 5432:5432 steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ inputs.python-version }} cache: 'pip' 
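Review bot: ci-pr-comments.yml is the one workflow whose visible hunks add no `permissions:` block, yet it runs on `workflow_run` with the default `GITHUB_TOKEN`, calls `github.rest.actions.listWorkflowRunArtifacts` in the first hunk and updates a PR comment in the second. The top of the file is outside the hunk, so it may already restrict the token; if it does not, declaring the job's needs explicitly (`actions: read` for the artifact listing and `pull-requests: write` for the comment) would give it the same least-privilege treatment the other files received, and a `permissions: contents: read` top-level default as in those files. The create-release-pull-request.yaml and pre-commit.yml hunks in this diff likewise show no `permissions:` block in their visible lines. The enclosing job definition starts before the hunk.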
@@ -77,7 +85,7 @@ jobs: run: tox -e ${{ inputs.dbt-version }} -- plugins/sqlfluff-templater-dbt - name: Upload coverage data (github) - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ inputs.coverage }} with: name: coverage-data-py${{ inputs.python-version }}-${{ inputs.dbt-version }} diff --git a/.github/workflows/ci-test-python.yml b/.github/workflows/ci-test-python.yml index 93ecea9bba5..47b59f8b16e 100644 --- a/.github/workflows/ci-test-python.yml +++ b/.github/workflows/ci-test-python.yml @@ -29,15 +29,23 @@ on: gh_token: required: true +permissions: + contents: read + jobs: modular-python-test: runs-on: ubuntu-latest name: py${{ inputs.python-version }} steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ inputs.python-version }} cache: 'pip' @@ -81,7 +89,7 @@ jobs: for file in .coverage.*; do mv "$file" "$file.$COVSUFFIX"; done; - name: Upload coverage data (github) - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ inputs.coverage }} with: name: coverage-data-py${{ inputs.python-version }}-${{ inputs.marks }} diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml index 8e083d0228e..8f675354dd4 100644 --- a/.github/workflows/ci-tests.yml +++ b/.github/workflows/ci-tests.yml @@ -26,6 +26,9 @@ on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#merge_group types: [checks_requested] +permissions: + contents: read + jobs: linting: 
@@ -50,9 +53,14 @@ jobs: python-version: "3.12" name: ${{ matrix.job }} tests steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ matrix.python-version }} - name: Install dependencies @@ -160,9 +168,14 @@ jobs: ymlchecks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.13' - name: Install dependencies @@ -186,9 +199,14 @@ jobs: runs-on: ubuntu-latest name: example tests steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.13' - name: Install dependencies 
@@ -207,13 +225,18 @@ jobs: runs-on: windows-latest name: Python 3.13 Windows tests steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + - name: Set git to use LF run: | git config --global core.autocrlf false git config --global core.eol lf - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.13" - name: List Env @@ -232,7 +255,7 @@ jobs: mkdir temp_pytest python -m tox -e winpy -- --cov=sqlfluff -n 2 test -m "not integration" - name: Upload coverage data (github) - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: coverage-data-winpy3.13 path: ".coverage.*" @@ -243,6 +266,11 @@ jobs: runs-on: windows-latest name: dbt Plugin Python 3.12 Windows tests steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + - name: Start PostgreSQL on Windows run: | $pgService = Get-Service -Name postgresql* @@ -255,9 +283,9 @@ jobs: run: | git config --global core.autocrlf false git config --global core.eol lf - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: # NOTE: As of 2024-10-10, dbt does not yet support python 3.13. python-version: "3.12" 
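Review bot: The harden-runner steps added to the two `windows-latest` jobs here (`@@ -207,13 +225,18` and `@@ -243,6 +266,11`) are unlikely to do anything: as far as the action's documentation goes, Harden-Runner instruments GitHub-hosted Linux runners only, so on Windows the step should report itself as skipped rather than audit egress; confirm against the run log. Either drop the step from these two jobs or add `# NOTE: expected to be a no-op on windows-latest; harden-runner only instruments Linux runners` above it so nobody reads the step as coverage for the Windows jobs. Both jobs' step lists continue past the hunk.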
@@ -278,11 +306,16 @@ jobs: if: github.event_name == 'pull_request' name: pip install tests steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.13" - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install dependencies run: | pip install . @@ -307,15 +340,20 @@ jobs: runs-on: ubuntu-latest needs: [python-version-tests, dbt-tests, python-windows-tests, dialect-tests] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.13" - run: python -m pip install --upgrade coverage[toml] - name: Download coverage data. - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: coverage-data-* merge-multiple: true @@ -332,7 +370,7 @@ jobs: python -m coverage report --fail-under=100 --skip-covered --skip-empty -m | tee coverage-report.txt - name: Upload HTML report if check failed. - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: html-report path: htmlcov 
@@ -349,7 +387,7 @@ jobs: # NOTE: We don't actually comment on the PR from here, we'll do that in # a more secure way by triggering a more secure workflow. # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: txt-report path: | diff --git a/.github/workflows/create-release-pull-request.yaml b/.github/workflows/create-release-pull-request.yaml index 222d048664b..d88bd6b37b6 100644 --- a/.github/workflows/create-release-pull-request.yaml +++ b/.github/workflows/create-release-pull-request.yaml @@ -11,7 +11,12 @@ jobs: run: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Abort if branch already exists run: | _check_branch=$(git ls-remote --heads origin prep-${{ github.event.inputs.newVersionNumber }}) @@ -23,7 +28,7 @@ jobs: fi - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.11' @@ -39,7 +44,7 @@ jobs: GITHUB_REPOSITORY_OWNER: ${{ secrets.GITHUB_REPOSITORY_OWNER }} - name: Create pull request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 with: delete-branch: true branch: prep-${{ github.event.inputs.newVersionNumber }} 
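Review bot: In the create-release-pull-request.yaml hunk `@@ -11,7 +11,12`, `${{ github.event.inputs.newVersionNumber }}` is still expanded directly into the `run:` shell of the "Abort if branch already exists" step, which this hardening pass leaves untouched. An input that reaches a shell via expression expansion is better passed through the environment, e.g. `env: NEW_VERSION: ${{ github.event.inputs.newVersionNumber }}` on the step and `git ls-remote --heads origin "prep-${NEW_VERSION}"` in the script, so that whatever is typed into the dispatch form stays data. Only users who can trigger `workflow_dispatch` can supply the value, so this is hygiene rather than urgent, but it is the kind of thing a pinning-and-permissions pass is expected to catch. The step's script continues past the hunk.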
@@ -68,7 +73,7 @@ jobs: skip-changelog - name: Update release title and tag - uses: release-drafter/release-drafter@v6 + uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6.4.0 with: # NOTE: We should eventually actually populate the date here, but that # will most likely change before the new pull request actually gets diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 566cb674796..40886904a84 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -11,16 +11,21 @@ jobs: CS_XML: pre-commit.xml SKIP: no-commit-to-branch steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + - run: sudo apt-get update && sudo apt-get install cppcheck if: false - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 if: false with: cache: pip python-version: 3.12.1 - run: python -m pip install pre-commit - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.cache/pre-commit/ key: pre-commit-4|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') 
@@ -31,19 +36,19 @@ jobs: pre-commit gc pre-commit run --show-diff-on-failure --color=always --all-files | tee ${RAW_LOG} - name: Convert Raw Log to Checkstyle format (launch action) - uses: mdeweerd/logToCheckStyle@v2024.3.5 + uses: mdeweerd/logToCheckStyle@0f7f54e70ac8c5c047d427f8be956794e8d654e2 # v2024.3.5 if: ${{ failure() }} with: in: ${{ env.RAW_LOG }} out: ${{ env.CS_XML }} - - uses: actions/cache/save@v4 + - uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 if: ${{ ! cancelled() }} with: path: ~/.cache/pre-commit/ key: pre-commit-4|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }} - name: Provide log as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ ! cancelled() }} with: name: precommit-logs diff --git a/.github/workflows/publish-dbt-templater-release-to-pypi.yaml b/.github/workflows/publish-dbt-templater-release-to-pypi.yaml index c271889fd1c..fdf946803fd 100644 --- a/.github/workflows/publish-dbt-templater-release-to-pypi.yaml +++ b/.github/workflows/publish-dbt-templater-release-to-pypi.yaml @@ -6,12 +6,20 @@ on: - published workflow_dispatch: +permissions: + contents: read + jobs: run: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.10" 
@@ -28,7 +36,7 @@ jobs: run: cp -r plugins/sqlfluff-templater-dbt/dist/. dist/ - name: Publish Python distribution to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 with: user: __token__ password: ${{ secrets.PYPI_DBT_TEMPLATER_TOKEN }} diff --git a/.github/workflows/publish-sqlfluff-docker-image-to-dockerhub.yaml b/.github/workflows/publish-sqlfluff-docker-image-to-dockerhub.yaml index dc389ded2e8..05e5e9adeb3 100644 --- a/.github/workflows/publish-sqlfluff-docker-image-to-dockerhub.yaml +++ b/.github/workflows/publish-sqlfluff-docker-image-to-dockerhub.yaml @@ -10,6 +10,9 @@ on: env: TEST_TAG: ${{ secrets.DOCKERHUB_USERNAME }}/sqlfluff:test +permissions: + contents: read + jobs: docker: runs-on: ubuntu-latest 
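Review bot: The version comment on the `pypa/gh-action-pypi-publish` pin reads `# release/v1`, which is a branch name rather than a release tag, so tooling that refreshes SHA pins from the trailing comment (Dependabot, Renovate and similar) will keep following the branch head instead of a fixed release; the identical line appears in the publish-sqlfluff-release-to-pypi.yaml hunk `@@ -23,7 +31,7`. Record the tag the SHA actually corresponds to, e.g. `uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # <release tag matching this SHA>`, so the pin can be audited against a release. Separately, both publish jobs still upload with a long-lived `__token__` secret; if the project moves to PyPI trusted publishing, the new `permissions: contents: read` default means the job will additionally need `id-token: write` at job level.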
@@ -21,31 +24,36 @@ jobs: steps: # Get the version of latest release in # order to tag published Docker image. + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + - name: Get latest release name id: latest_release - uses: pozetroninc/github-action-get-latest-release@master + uses: pozetroninc/github-action-get-latest-release@53d33d213ee71c72360e3c829caf7cee94ec21e2 # master with: repository: ${{ github.repository }} # Setup QEMU and Buildx to allow for multi-platform builds. - name: Set up QEMU id: docker_qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx id: docker_buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 # Authenticate with DockerHub. - name: Login to DockerHub id: docker_login - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} # Authenticate with Container registry - name: Login to Container registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -54,7 +62,7 @@ jobs: # Build amd64 image to use in the integration test. - name: Build and export to Docker id: docker_build - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: load: true tags: ${{ env.TEST_TAG }} 
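Review bot: `pozetroninc/github-action-get-latest-release` is pinned to a SHA annotated `# master`, so there is no release to audit the pin against and any automated pin refresh will simply track the branch head; pinning beats the previous `@master`, but this is a small third-party action running in the same job that holds the DockerHub and GHCR credentials (the `docker/login-action` steps follow in this hunk). The lookup can be done without a third-party action using the preinstalled CLI, e.g. a `run:` step with `gh release view --json tagName -q .tagName` and `GH_TOKEN: ${{ github.token }}` in its `env:`, writing the result to `$GITHUB_OUTPUT`. If the action is kept, at least record the last tagged version in the comment rather than `master`. The job's steps continue past the hunk.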
@@ -72,7 +80,7 @@ jobs: # N.B. We tag this image as both latest and with its version number. - name: Build and push id: docker_build_push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: push: true platforms: linux/amd64,linux/arm64 @@ -86,7 +94,7 @@ jobs: # Add artifact attestation for GHCR - name: Generate artifact attestation - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 with: subject-name: ghcr.io/${{ github.repository }} subject-digest: ${{ steps.docker_build_push.outputs.digest }} diff --git a/.github/workflows/publish-sqlfluff-release-to-pypi.yaml b/.github/workflows/publish-sqlfluff-release-to-pypi.yaml index 0eb9dd3675b..5a21eb2a756 100644 --- a/.github/workflows/publish-sqlfluff-release-to-pypi.yaml +++ b/.github/workflows/publish-sqlfluff-release-to-pypi.yaml @@ -6,12 +6,20 @@ on: - published workflow_dispatch: +permissions: + contents: read + jobs: run: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.10" @@ -23,7 +31,7 @@ jobs: run: tox -e build-dist - name: Publish Python distribution to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 with: user: __token__ password: ${{ secrets.PYPI_TOKEN }}